SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

STORM CENTER TECH CORNER

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today. http://www.sans.org/info/180747

--Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses, including the new FOR578 Cyber Threat Intelligence course. http://www.sans.org/u/dgM

TOP OF THE NEWS

Apple has won a victory in an iPhone warrant case, although it may not help the company in the San Bernardino case. The ruling came from a federal magistrate judge in New York who had been weighing a government request legally similar to the higher-profile one playing out in San Bernardino. In a 50-page ruling, Magistrate Judge James Orenstein found that the All Writs Act did not justify the government's request and declined to compel Apple's assistance in unlocking the phone.
-http://www.theverge.com/2016/2/29/11135986/new-york-apple-fbi-iphone-encryption-ruling

US Military Using Cyberweapons Against Islamic State (February 29, 2016)

Pentagon officials said that US Cyber Command is using cyberweapons to disrupt Islamic State's ability to communicate, manage finances, and control forces. The effort is "the first major integration of US Cyber Command into a major battlefield operation since the command was established in 2009." (Please note: the WSJ site requires a subscription.)
-http://www.wsj.com/articles/pentagon-deploys-cyberweapons-against-islamic-state-1456768428
-http://www.latimes.com/nation/la-fg-isis-cyber-20160228-story.html
[Editor's Note (Assante): The use of cyber weapons to accomplish the stated goal of "degrading and destroy ISIS" makes complete sense. Cyber weapons may be one of the more powerful options in our arsenal that aligns with hitting one of ISIS' strengths of using the Internet to spread their message of hatred, recruit, and coordinate support and resources. I suggest procedures are employed to limit the risk of third parties or the target learning too much from our cyber campaign. (Williams): "Its effect and extent are difficult to assess." Expect this to be the new normal for "cyberwar." Unlike conventional warfare, the effects of network attack are often difficult to assess because cyber attack and intelligence gathering are mutually exclusive activities. ]

CTB Locker Ransomware Targeting Websites (February 29, 2016)

A new variant of CTB Locker ransomware is now targeting WordPress-based websites rather than desktop PCs. The malware's source code has been uploaded for researchers to examine, but there is currently no known way to decrypt the affected files without paying the ransom. The ransomware does not run on sites that do not use PHP.
-http://www.theregister.co.uk/2016/02/29/reinvented_ransomware_shifts_from_pwning_pc_to_wrecking_websites/
[Editor's Note (Ullrich): We are seeing more and more ransomware attacking servers. CTB Locker isn't actually "that bad" in that it makes itself known very quickly. But more severe forms of ransomware targeting servers can linger for months, making backups useless as they only back up encrypted files. ]
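Ullrich's note above describes the failure mode that hurts most: ransomware that sits on a server for months, so every backup taken in that window is a faithful copy of ciphertext. The check below is an added example, not code from the page, The Register, or any vendor: it scans a backup set file by file, scores each file's byte entropy, and flags text-like files (PHP, HTML, plain text) that score like random data. The backup contents, the 7.5 bits/byte threshold, the 512-byte minimum, the allowlist of compressed formats and the 20% "poisoned" cutoff are all assumptions chosen for illustration; the `ciphertext_like_bytes` filler is a constructed stand-in for encrypted output, not real ransomware data.

```python
"""Spot a backup set that has quietly filled with ciphertext.

Added example (not from the page): a per-file entropy check over a
constructed WordPress backup. Files encrypted in place look uniformly
random; ordinary PHP/HTML/text does not. All thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def ciphertext_like_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted file.
    Constructed test data (a SHA-256 chain), not real ransomware output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Formats that are compressed by design and legitimately score near 8 bits/byte
# (assumed allowlist; extend it for the content types your site actually serves).
COMPRESSED_BY_DESIGN = (".jpg", ".jpeg", ".png", ".gif", ".gz", ".zip", ".mp4", ".woff2")


def flag_encrypted(files: dict, threshold: float = 7.5, min_size: int = 512) -> list:
    """Return paths whose contents look like ciphertext.

    Files below min_size are skipped (entropy estimates on a few bytes are
    noise) and compressed formats are skipped by extension, so a flagged
    .php or .txt is a strong signal. Both limits are assumptions.
    """
    flagged = []
    for path, data in files.items():
        if len(data) < min_size or path.lower().endswith(COMPRESSED_BY_DESIGN):
            continue
        if shannon_entropy(data) >= threshold:
            flagged.append(path)
    return flagged


def backup_looks_poisoned(files: dict, max_fraction: float = 0.2) -> bool:
    """True when more than max_fraction of the text-like files are ciphertext,
    i.e. restoring this backup would restore the ransomware's work, not the site."""
    candidates = [p for p, d in files.items()
                  if len(d) >= 512 and not p.lower().endswith(COMPRESSED_BY_DESIGN)]
    if not candidates:
        return False
    return len(flag_encrypted(files)) / len(candidates) > max_fraction


# Constructed backup set: path -> contents. Two intact PHP files, one image that
# is high-entropy for legitimate reasons, and one text file overwritten with ciphertext.
SAMPLE_BACKUP = {
    "wp-config.php": b"<?php\ndefine('DB_NAME', 'wordpress');\n" * 40,
    "wp-content/themes/x/index.php": b"<?php get_header(); ?>\n" * 60,
    "wp-content/uploads/logo.png": ciphertext_like_bytes(b"png", 2048),
    "wp-content/uploads/invoice.txt": ciphertext_like_bytes(b"seed", 4096),
}

if __name__ == "__main__":
    for path, data in SAMPLE_BACKUP.items():
        print(f"{shannon_entropy(data):5.2f} bits/byte  {path}")
    print("flagged:", flag_encrypted(SAMPLE_BACKUP))
    print("poisoned:", backup_looks_poisoned(SAMPLE_BACKUP))
```

Run this against each backup generation before it is rotated out, not only after an incident: the first generation in which `backup_looks_poisoned` turns true marks the last clean restore point, which is exactly the information a months-long infection otherwise destroys. Entropy alone will also flag legitimately packed or minified assets, which is why the extension allowlist matters and why a flagged `.php` file should be confirmed by hand.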

The US plans to renegotiate certain terms of the Wassenaar Arrangement, which places restrictions on the export of dual-use technologies that could be dangerous if they fell into the wrong hands. The changes will affect the controls on intrusion software, which were added to Wassenaar in a 2013 amendment. Civil liberties groups and the technology sector have expressed frustration with intrusion software's inclusion in the agreement because the export controls limit companies' ability to share and use such tools to evaluate their own security. Wassenaar has 41 participating nations.
-https://www.eff.org/deeplinks/2016/02/victory-state-department-will-try-fix-wassenaar-arrangement
-http://thehill.com/policy/cybersecurity/271204-obama-administration-to-renegotiate-international-anti-hacking-regs
[Editor's Note (Williams): This story shows what can happen when we band together as an industry to effect changes in policy. If we as infosec professionals don't speak to policy makers in terms that they can understand, we are doomed to be governed by ineffective and harmful legislation and government regulation. ]

The Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens' data. The companies had been transferring data under the Safe Harbor agreement, which an EU court nullified last fall. Because no firm replacement agreement is yet in place, companies that continue to transfer data on that basis are breaking the law. Two other companies are reportedly under investigation.
-http://fortune.com/2016/02/25/safe-harbor-crackdown/?mod=djemRiskCompliance

IRS Breach Now Estimated to Affect 724,000 People (February 26 and 27, 2016)

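The Storm Center Tech Corner item that follows notes that IKE/IKEv2 responders, like other UDP services, can be used to amplify denial-of-service traffic: an attacker sends small requests with the victim's address spoofed as the source, and the responder's larger replies land on the victim. The operator of the responder sees the abuse as UDP flows with an unusual bytes-out to bytes-in ratio. The check below is an added example, not code from the page or from CERT/CC: it runs over constructed flow records of the kind a NetFlow/IPFIX collector exports and flags flows that combine a reflectable destination port, enough request volume to matter, and a response/request byte ratio consistent with amplification. The record fields, the port list, the 3x ratio and the 50-packet minimum are assumptions chosen for illustration.

```python
"""Flag UDP flows whose byte amplification suggests one of our responders
is being abused as a reflector.

Added example (not from the page): constructed per-flow records, aggregated
per (client, server, dport) over a collection interval. Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpFlow:
    """One request/response-paired UDP flow as a collector would aggregate it.

    `client` is the address in the request source field; when a reflector is
    being abused this is the spoofed victim, not the real sender.
    """
    client: str
    server: str
    dport: int
    req_pkts: int
    req_bytes: int
    resp_pkts: int
    resp_bytes: int

    def byte_ratio(self) -> float:
        """Response bytes per request byte, i.e. the amplification factor."""
        if self.req_bytes == 0:
            return float("inf")
        return self.resp_bytes / self.req_bytes


# UDP services known to reflect; 500/4500 are IKE and IKE NAT traversal (RFC 7296).
# Assumed list for the example; add whatever UDP services you actually expose.
REFLECTABLE_PORTS = {500: "IKE", 4500: "IKE NAT-T", 53: "DNS", 123: "NTP", 1900: "SSDP"}


def suspicious_flows(flows, min_ratio: float = 3.0, min_req_pkts: int = 50):
    """Return (flow, service, ratio) for flows that look like reflection abuse.

    A legitimate IKE_SA_INIT exchange is a handful of packets with replies
    roughly the size of the requests; volume and ratio together separate
    abuse from normal negotiation. Both thresholds are assumptions.
    """
    hits = []
    for f in flows:
        service = REFLECTABLE_PORTS.get(f.dport)
        if service is None or f.req_pkts < min_req_pkts:
            continue
        ratio = f.byte_ratio()
        if ratio >= min_ratio:
            hits.append((f, service, ratio))
    return hits


def victims_by_reflector_count(hits):
    """Count distinct hits per 'client'. One spoofed source hitting several of
    our responders at once is the signature of a coordinated amplification attack."""
    counts = defaultdict(int)
    for f, _, _ in hits:
        counts[f.client] += 1
    return dict(counts)


# Constructed flow records (RFC 5737 documentation addresses), not captured data.
SAMPLE_FLOWS = [
    # legitimate IKEv2 negotiation: few packets, replies about request-sized
    UdpFlow("198.51.100.10", "203.0.113.1", 500, 4, 1600, 4, 1400),
    # abuse: hundreds of small probes to our IKE responders, each answered ~9x larger
    UdpFlow("192.0.2.7", "203.0.113.1", 500, 600, 48000, 600, 432000),
    UdpFlow("192.0.2.7", "203.0.113.2", 500, 550, 44000, 550, 396000),
    # DNS with a high ratio but too little volume to act on
    UdpFlow("198.51.100.99", "203.0.113.3", 53, 5, 300, 5, 3000),
    # port not in the reflectable list: ignored regardless of ratio
    UdpFlow("192.0.2.7", "203.0.113.4", 5060, 600, 48000, 600, 432000),
]

if __name__ == "__main__":
    hits = suspicious_flows(SAMPLE_FLOWS)
    for f, svc, r in hits:
        print(f"{svc:9s} {f.client} -> {f.server}:{f.dport}  x{r:.1f}")
    print("victims:", victims_by_reflector_count(hits))
```

The ratio is the detection signal but not the fix: the responder cannot tell a spoofed source from a real one, so the durable remedies are source-address validation at the network edge (BCP 38) and rate-limiting or size-limiting the first-message reply on the service itself. If the 900% figure in the item is read as "reply nine times the request", the constructed abuse flows above sit exactly at that ratio and a 3x threshold catches them with margin.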
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
-http://www.kb.cert.org/vuls/id/419128

***********************************************************************

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/